
Hi all

I have been unable to use my main PC to log onto the internet since picking up a virus from somewhere. I have no idea what is happening, but I suspect that the resources are being used up by running programs. Can anyone have a look at this HJT log and advise, if at all possible?

Logfile of HijackThis v1.99.1
Scan saved at 19:31:35, on 17/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\1167336364\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1167336364\ee\AOLServiceHost.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\TEMP\1E2D5597.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\WinRAR\WinRAR.exe
c:\program files\common files\aol\1167336364\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1167336364\ee\AOLServiceHost.exe
C:\Program Files\AOL 9.0a\aoltray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\DOCUME~1\SHAUNT~1\LOCALS~1\Temp\Rar$EX01.047\HijackThis.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\AOL Companion\companion.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.co.uk/?redirect
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: (no name) - {371EE1EF-F177-1390-7807-08525DC0E55C} - C:\WINDOWS\system32\nweipeg.dll
O2 - BHO: (no name) - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hrcopul.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Shaun Thomas\Local Settings\Application Data\hrcopul.dll",vuljcec
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1167336364\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [fwewwqwe3] C:\WINDOWS\TEMP\1E2D5597.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [network administration] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [icasServ] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [hkgaqge] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BoontyBox] "C:\Program Files\Boonty\BoontyBox\BoontyBox.exe" /boot
O4 - HKCU\..\Run: [AdPopup] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [acenotes] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [4bysw3l3aemdj#] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://kc.bar.need2find.com/KC/menusearch.html?p=KC
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/UK/install.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/pm/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aolsvc.co.uk/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167961038687
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aolsvc.co.uk/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/prequal/MotivePreQual.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://wanadoouk.oberon-media.com/online2/diner_dash/DinerDash.1.0.0.80.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe


any help would greatly be appreciated.

Last Post by gerbil

I must say that I find your PC's inability to connect to the web a bit ironic, because you have, amongst other pests, a backdoor trojan [an IRC bot in this case], and that one would most definitely want to connect. A backdoor trojan? It means that you have a trojan implanted which allows someone to control your computer. After this is over you will want to change passwords, especially any banking or other critical passwords... you have been keylogged.

Okay, let's get started. It's going to be a pest, but copy these downloads onto the PC. They fit on a floppy. But first you must delete the instance of HijackThis you have used, and download a fresh copy from http://216.180.233.162/~merijn/files/HijackThis.exe
-install it to a new folder alongside your Program Files. Rename hijackthis.exe to imabunny.exe.
-when you next run it, first close ALL other applications and any open windows, including the Explorer window containing HijackThis.

===Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1

===Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Double-click SDFix.exe and choose Run to extract it to %systemdrive%, which will commonly be C:\

===ATF - Double-click ATF-Cleaner.exe to run it, and when ATF Cleaner opens go Select All, and then Empty Selected.
Close ATF.

===Restart your computer in Safe Mode: press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using the Administrator account and password. NOTE: The password is blank by default unless you set a password.

===Open the extracted SDFix folder, C:\SDFix and double click RunThis.bat to start the script. Type Y to begin the cleanup.
You will be prompted to press any key to Reboot - the pc will then restart.
The tool will run again and complete the removal process then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Post the contents of the file Report.txt here.

Restart the pc in normal mode. If you can now get on the net....
===Get AVG Anti-Spyware 7.5 here: http://free.grisoft.com/doc/5390/lng/us/tpl/v5 - the link is almost at the bottom of the page, AVG AS 7.5.0.50. Install it and update it.

Now start AVG AS 7.5; under Scanner / Settings set Recommended actions to Quarantine, and run the scan. Save the log file and only then click Apply all actions. Post the log file.

Whether or not you got on the net, re-run HijackThis [as imabunny.exe] and check the following [if they exist] for fixing, then press Fix Selected.

C:\WINDOWS\TEMP\1E2D5597.exe
O2 - BHO: (no name) - {371EE1EF-F177-1390-7807-08525DC0E55C} - C:\WINDOWS\system32\nweipeg.dll
O2 - BHO: (no name) - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [hrcopul.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Shaun Thomas\Local Settings\Application Data\hrcopul.dll",vuljcec

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE ==this one is benign, but a time waster.

O4 - HKLM\..\Run: [fwewwqwe3] C:\WINDOWS\TEMP\1E2D5597.exe
O4 - HKCU\..\Run: [icasServ] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [hkgaqge] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdPopup] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [acenotes] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [4bysw3l3aemdj#] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Search - http://kc.bar.need2find.com/KC/menusearch.html?p=KC
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)

If you could not get on the net before, restart now and try again, and if it works download and run AVG as above.

Post those logs.
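An added example, not code from the thread or from HijackThis: the checks gerbil applies by eye above, written as a small Python triage pass over a constructed excerpt of the posted log. It flags BHOs with no name or no file, autoruns that live in temp or per-user data folders, Run value names that mix digits and punctuation, several Run values launching the same binary, and services whose binary is missing or has no vendor string. The line formats are HijackThis v1.99 as shown above; the thresholds are my assumptions, and the output is a review list for a human, not a verdict.

```python
"""Triage heuristics for HijackThis v1.99 log lines.

Added example, not part of the original thread: SAMPLE_LOG is a constructed
excerpt modelled on the log posted above; the rules are my own reading of what
the helper checked by eye, and every hit still needs a human decision.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed excerpt (a subset of the posted log; line formats unchanged).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {371EE1EF-F177-1390-7807-08525DC0E55C} - C:\WINDOWS\system32\nweipeg.dll
O2 - BHO: (no name) - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [hrcopul.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Shaun Thomas\Local Settings\Application Data\hrcopul.dll",vuljcec
O4 - HKLM\..\Run: [fwewwqwe3] C:\WINDOWS\TEMP\1E2D5597.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [icasServ] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [hkgaqge] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [4bysw3l3aemdj#] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
"""

# Folders a legitimate autorun almost never lives in (lower-case substrings).
DROP_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\")

O2_RE = re.compile(r"^O2 - BHO: (.*?) - \{([^}]+)\} - (.*)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")


def odd_value_name(name: str) -> bool:
    """Cheap randomness signal (assumed threshold): digits mixed into letters,
    or punctuation other than dot, dash, underscore or space."""
    stem = name.rsplit(".", 1)[0]
    return bool(re.search(r"[a-z]\d|\d[a-z]", stem, re.I)
                or re.search(r"[^\w.\- ]", stem))


def triage(log_text: str) -> dict[str, list[str]]:
    """Return {suspicious log line: [reasons it was flagged]}."""
    reasons: dict[str, list[str]] = defaultdict(list)
    # lower-cased launch command -> [(Run value name, full line)]
    launchers: dict[str, list[tuple[str, str]]] = defaultdict(list)

    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := O2_RE.match(line):
            name, _clsid, path = m.groups()
            if path == "(no file)":
                reasons[line].append("BHO registered but its DLL is gone (orphan entry)")
            elif name == "(no name)":
                reasons[line].append("unnamed BHO loads into every Internet Explorer process")
        elif m := O4_RE.match(line):
            _hive, name, cmd = m.groups()
            low = cmd.lower()
            if any(d in low for d in DROP_DIRS):
                how = "rundll32 loads a DLL" if "rundll32" in low else "autorun binary lives"
                reasons[line].append(f"{how} in a temp or per-user data folder")
            if odd_value_name(name):
                reasons[line].append(f"Run value name {name!r} looks machine-generated")
            launchers[low].append((name, line))
        elif m := O23_RE.match(line):
            _svc, owner, path = m.groups()
            if path.endswith("(file missing)"):
                reasons[line].append("service points at a binary that no longer exists")
            if owner.strip() in ("", "Unknown owner") and "system32" in path.lower():
                reasons[line].append("system32 service with no vendor string")

    # One Run value per binary is normal. Several value names pointing at the
    # same target means extra launchers were planted; keep the one named after
    # the binary itself and flag the rest.
    for target, entries in launchers.items():
        if len(entries) < 2:
            continue
        exe = target.strip('"').rsplit("\\", 1)[-1]
        for name, line in entries:
            if name.lower() != exe:
                reasons[line].append(f"{len(entries)} Run values launch {exe}; extra launcher")
    return dict(reasons)


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_LOG).items():
        print(flagged)
        for w in why:
            print("   ->", w)
```

Run against the excerpt it flags exactly the entries gerbil listed for fixing (the two BHOs, the rundll32 and TEMP autoruns, the three extra ctfmon.exe launchers, and the missing MsaSvc service) and leaves SoundMan, the Google toolbar, the genuine [ctfmon.exe] value and the HP service alone. The duplicate-launcher rule is the interesting one: nothing about a single `ctfmon.exe` line is wrong, only the fact that four differently named values start it.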


Okay, first of all I want to personally thank the poster that has helped me. I have now been able to reconnect to the internet and things seem a lot smoother than they were before. I am indebted to you and would like to offer payment of some kind, or a gift to be posted directly to yourself, as you have saved me purchasing a new hard drive, which I was on the verge of doing before you posted. PM me, as I would like to recompense you somehow for the time you have spent assisting me with this problem, which has solved a myriad of problems I was having here. Any further advice you wish to impart on speeding up this sluggish machine I would very much appreciate, but the original problem I was having has been solved thanks to your time and knowledge.


A few things to clean up yet... fix them with imabunny... :) as before [you didn't have to call it that, almost any name would have done; I was pulling your leg a bit..]
First off, and VERY IMPORTANTLY, we gotta go after that rootkit pe386. Note that SDFix found it, but it cannot remove it. Possibly the best thing I can do is to send you to this page http://www.geekstogo.com/forum/How_to_Remove_Rustock_b_pe386_lzx32_msguard_infections-t140682.html -- read down [note the SDFix report..] until you come to the RustockB [pe386] removal instructions. Download the file from that link... ah, just follow the instructions! Post the log[s] it produces here. Immediately!!!
[honesty bit... I have not used this tool because I do not have a rootkit to play with, but I trust the site implicitly...]

Done that, posted the log... now move onto these fixes:
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [network administration] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B57F951-2E37-448B-A41D-EEB095D9108B}: NameServer = 205.188.146.145

==you have an internet reset entry to Wanadoo.... which is now Orange. If you don't wish to keep this as a homepage, fix this:
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
==if your RealPlayer is working fine then you could remove this new hardware detector:
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
==do you want BoontyBox to start every time? If not, stop it via its options, or just uninstall it via Add/Remove Programs.

==Start AVG Anti-Spyware again and change the recommended action to Delete. Go into the infections/quarantine and remove all the files in there.

===Next try an online scan at Panda: http://www.pandasoftware.com/products/activescan?
-the link to the scan is just above the padlock pic.... free online virus scan.. enter a valid(?) email and follow through, choosing My Computer for a full system scan. Run a cleaner, either ATF or CCleaner [see below], first.
Post the log it produces here.


You now have AVG Anti-Spyware installed. Keep it updated [after 30 days you do this manually if you keep it as a free service, and I recommend that you do - it is one of the best scanners out there..]; then you could stop the AOL spyware service. After 30 days run an AVG scan any time you get an adware problem, just remember to update it immediately before you scan.

To speed up your system... hmmm.. well, you have a mass of programs that start up when you turn on your computer, and surely some/many of those you will not use in a session, and some that you will use you can start manually from an icon. I suggest that you use the list of O4 entries in the HJT log as a base to work from, and open every program and stop autoupdate checks [how often does new software get released anyway?], and stop programs that you rarely use. How often do you adjust the RealPlayer settings? Or use the Logitech camera - it's sitting in your tray and blocking kB of RAM. Be sensible about these things. If Nero works well you do not need NeroCheck running just in case it finds a problem.... Java updater - it just does not work, yet every so often it looks for an update, and even when it is not looking a bit of it stays resident in RAM.
I do not know your computing habits so I cannot advise you what to stop, but there is stuff there that I would clear... how often do you use HP to scan etc.?

Get these three programs:
===Get Ad-Aware SE Personal from http://www.lavasoft.de/software/adaware/
- install it. Update it. Explore what settings you can change in it [via the cogwheel icon up top, if you are comfortable with that... you won't hurt anything, but for the present please keep the default settings]. Put an icon on your desktop for regular use.
Run Ad-Aware, doing a full system scan, and finally remove all that it finds [right-click in the scan results window and select all, go next..]. If Ad-Aware finds anything apart from cookies or your MRU list then, after removing those items, you should repeat the scan [and removal] and so on until it comes up clean.

It is best to run a cleaner before you use either Ad-Aware or AVG - it makes the logs easier to read.... I gave you ATF earlier, but another I use more often is this one:

===Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the install checkboxes to only open from the Recycle Bin. It's neater that way.
Run CCleaner from the Recycle Bin right-click menu using its default settings [if you set up CCleaner as I suggested, right-clicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon and the Windows tab; press Run Cleaner. Now select the Applications tab and Run Cleaner.
For future quick temp file cleaning select the options you wish to use. Note that CCleaner is also a free registry cleaner. Explore all its options, but skip the prefetch folder cleaning option. That one is a furphy, much loved on some websites, but cleaning it is unnecessary because Windows dumps old unused entries anyway, and if there is no prefetch entry for an app you wish to load then your system will just be a little bit slower loading it.

===Get SpywareBlaster here http://www.javacoolsoftware.com/downloads.html -- install it, put an icon on your desktop grouped with AVG and Ad-Aware.... And every so often [fortnightly?] update them all and run them.
Finally..
===Finally: Java update!!! This is for security reasons. Go Control Panel > Java > Update, and press Update Now. Restart after installing the update, and then go into Control Panel again, Add/Remove Programs, and remove all old versions of Java. Version 1.5.0.10 is current....
[see what I mean? the auto Java update is a waste of RAM and time - kill it via Control Panel > Java, and do it whenever you update the antispyware stuff.]

Do all this stuff, and then you could be clear.
Cheers.
And post that new log... panda.. just to be sure.


And finally, but definitely not least.... :). I am glad I am able to help, and your response was thanks enough. I am tickled by it. [you may think the site, DaniWeb, a worthy cause, though...]

PS... if you must put up an email address, take simple steps to make scanning bots miss it - whenever they see that @ they zero in... so type addresses something like yourname05[at]aol.com

Okay, pe386 log as follows:

************************* Rustock.b-fix -- By ejvindh *************************
25/01/2007 18:31:33.50
******************* Pre-run Status of system *******************
Rootkit driver PE386 is found. Starting the unload-procedure....
Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 70816
Total size: 70816 bytes.
Attempting to remove ADS...
system32: deleted 70816 bytes in 1 streams.
Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32

******************* Post-run Status of system *******************
Rustock.b-driver on the system: NONE!
Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.
Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32

******************************* End of Logfile ********************************

Avenger log as follows:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\qkhuadvq
*******************
Script file located at: \??\C:\WINDOWS\pbhkprhg.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.
Completed script processing.
*******************
Finished! Terminate.
-------------------------------------------


Panda software log:


Incident Status Location
Virus:trj/torpig.a Disinfected Operating system
Potentially unwanted tool:application/need2find Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\uninstall\Need2FindBar Uninstall
Dialer:dialer.su Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\uninstall\Switch
Potentially unwanted tool:application/myway Not disinfected hkey_classes_root\clsid\{014DA6C9-189F-421a-88CD-07CFE51CFF10}
Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM
Adware:adware/wupd Not disinfected Windows Registry
Adware:adware/baidubar Not disinfected Windows Registry
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Shaun Thomas\Cookies\shaun_thomas@2o7[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Shaun Thomas\Cookies\shaun_thomas@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Shaun Thomas\Cookies\shaun_thomas@atdmt[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Shaun Thomas\Cookies\shaun_thomas@bs.serving-sys[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Shaun Thomas\Cookies\shaun_thomas@doubleclick[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Shaun Thomas\Cookies\shaun_thomas@serving-sys[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Shaun Thomas\Cookies\shaun_thomas@tribalfusion[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Shaun Thomas\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected I:\SDFix.exe[SDFix\apps\Process.exe]


You now have AVG Antispyware installed. Kept updated [after 30 days you do this manually if you keep it as a free service, and i recommend that you do - it is one of the best scanners out there..] so you could stop the AOL spyware service. After 30 days run an AVG scan any time you get an adware problem, just remember to update it immediately before you scan.

To speed up your sys... hmmm.. well, you have a mass of programs that startup when you turn on your computer, and surely some/many of those you will not use in a session, and some that you will use you can start manually from an icon. I suggest that you use the list of O4 entries in the HT log as a base to work from, and open every program and stop autoupdate checks [how often does new software get released anyway?], and stop pgms that you rarely use. How often do you adjust the Realplayer settings? Or use the logitech camera -it's sitting in your tray and blocking kB of RAM. Be sensible about these things. If Nero works well you do not need the nerocheck running just in case it finds a problem.... Java updater - it just does not work, yet every so often it looks for an update, but even when it is not looking a bit of it stays resident in RAM.
I do not know your computing habits so I cannot advise you what to stop, but there is stuff there that I would clear... how often do you use HP to scan etc?

Get these three pgms:
===Get Adaware SE Personal from http://www.lavasoft.de/software/adaware/
- install it. Update it. Explore what settings you can change in it [via the cogwheel icon up top, if you are comfortable with that... you won't hurt anything, but for the present please keep the default settings]. Put an icon on your desktop for regular use.
Run Adaware, doing a full system scan and finally remove all that it finds [rclick in the scan results window and select all, go next..]. If Adaware finds anything apart from cookies or your MRU list then, after removing those items you should repeat the scan [and removal] and so on until it comes up clean.

It is best to run a cleaner before you use either Adaware or AVG - it makes the logs easier to read.... I gave you ATF earlier, but another I use more often is this one:

===Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the install checkboxes to only open from the recycle bin. It's neater that way.
Run Ccleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon and the Windows tab; press Run Cleaner. Now select the Applications tab and Run Cleaner.
For future quick temp file cleaning select the options you wish to use. Note that CCleaner is also a free registry cleaner. Explore all its options, but skip the prefetch folder cleaning option. That one is a furphy, much loved on some websites, but cleaning it is unnecessary because windows dumps old unused entries anyway, and if there is no prefetch entry for an app you wish to load then your sys will just be a lil bit slower loading it.

===Get Spywareblaster here http://www.javacoolsoftware.com/downloads.html -- install it, put an icon on your desktop grouped with AVG and Adaware.... And every so often [fortnightly?] update them all and run them.
Finally..
===Finally: Java update!!! This is for security reasons. Go control panel > java > update, & press update now. Restart after installing the update, and then go into control panel again, add/remove pgms and remove all old versions of java. Vsn 1.5.0.10 is current....
[see what I mean? the auto Java update is a waste of RAM and time - kill it via control panel > java, and do it whenever you update the antispyware stuff.]

Do all this stuff, and then you could be clear.
Cheers.
And post that new log... panda.. just to be sure.

New Hijack log as follows

Logfile of HijackThis v1.99.1
Scan saved at 21:46:27, on 25/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\SOUNDMAN.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\AOL 9.0a\aoltray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\AOL\1167336364\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1167336364\ee\AOLServiceHost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZipm12.exe
c:\program files\common files\aol\1167336364\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1167336364\ee\AOLServiceHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AOL Companion\companion.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\imabunny.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.co.uk/?redirect
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1167336364\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe


Okay, a couple of things now

Can't seem to locate the AOL spyware scan to disable it or delete it and would love to get rid of it.

The O4 running files that start up with the system - just tell me which I can delete, as the only thing I use this PC for is to access the internet, download music/films and play poker on-line (expensive habit, not recommended), so anything you recommend or would do yourself to the start menu, just advise me.

Wasn't too sure whether you wanted me to do a Panda scan again; if so just advise and I'll run it again.

This programme keeps coming back even though I remove or fix it using HijackThis. Is this normal?

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

Once again thanks for the help; will check back soon for an update once you get chance to respond.

0

Great work! The rootkit pe386 is toast.

Download killbox from here:- http://www.downloads.subratam.org/KillBox.zip unzip it onto your desktop.
Dclick killbox to start it. Select "Delete on reboot", click the "all files" button.
Highlight these three files below and copy them into the clipboard [press Ctrl+C] [or rclick, copy...]:-

C:\WINDOWS\TEMP\1E2D5597.exe
C:\WINDOWS\system32\nweipeg.dll
C:\Documents and Settings\Shaun Thomas\Local Settings\Application Data\hrcopul.dll,vuljcec

In killbox, go File menu, choose Paste from clipboard. Click the red and white button, click Yes on the reboot prompt, click OK if a pendingfilerenameoperation box opens. [do not be concerned if it says it cannot find a file...]

On restart, go into Safe Mode:- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using the Administrator account. Password is probably blank...
Open an explorer window, go Tools > folder options > view tab and select the button Show hidden files and folders, Apply and OK.
Now in that window navigate to and locate the three above files and delete them.
----------------------------------------------------------------------
Now we MUST clear all your system restore points because some have been infected.... AVG may have cleaned them, but we cannot be sure it found everything. So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again and uncheck that box, Apply and OK.
[[another quick way in is Start > run, type sysdm.cpl and OK]]
Now make a fresh clean? restore point: Start > programs > accessories > system tools > system restore and create a restore point now!!

==ctfmon.exe coming back [being called] like it is now is okay, it's a valid process; it was also being called earlier by some other keys which I wished removed - they are gone now.
==Panda removed a virus for us, but in the free scan they leave the spyware to us to remove.
==Panda found NEED2FIND [came with Kazaa?, which is a DOG], but I cannot see it running anywhere... check Add/remove pgms - if it is there, uninstall it. Check C:\program files - if the folder need2find is there, delete it... [its contents first, if needs be].
==Panda refers to a dialler reg key, but before we delete it I would like to check it, so please export it: Go Start > Run, type regedit and hit OK. Expand the tree and locate the following key:
hkey_local_machine\software\microsoft\windows\currentversion\uninstall\Switch - lclick Switch to highlight it, go File, Export, name the file dialersu, file type .txt and save it somewhere handy.
Altnet, Myway : uninstall these via add/remove pgms if there, and delete their folders.
---------------------
Right, send that regkey in... dialersu.txt.

0

Great work! The rootkit pe386 is toast.

Download killbox from here:- http://www.downloads.subratam.org/KillBox.zip unzip it onto your desktop.
Dclick killbox to start it. Select "Delete on reboot", click the "all files" button.
Highlight these three files below and copy them into the clipboard [press Ctrl+C] [or rclick, copy...]:-

C:\WINDOWS\TEMP\1E2D5597.exe
C:\WINDOWS\system32\nweipeg.dll
C:\Documents and Settings\Shaun Thomas\Local Settings\Application Data\hrcopul.dll,vuljcec

In killbox, go File menu, choose Paste from clipboard. Click the red and white button, click Yes on the reboot prompt, click OK if a pendingfilerenameoperation box opens. [do not be concerned if it says it cannot find a file...]

On restart, go into Safe Mode:- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using the Administrator account. Password is probably blank...
Open an explorer window, go Tools > folder options > view tab and select the button Show hidden files and folders, Apply and OK.
Now in that window navigate to and locate the three above files and delete them.

Okay, couldn't find any of the above mentioned 3 files using this method. Does this mean they are not present on the system?

----------------------------------------------------------------------
Now we MUST clear all your system restore points because some have been infected.... AVG may have cleaned them, but we cannot be sure it found everything. So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again and uncheck that box, Apply and OK.
[[another quick way in is Start > run, type sysdm.cpl and OK]]
Now make a fresh clean? restore point: Start > programs > accessories > system tools > system restore and create a restore point now!!

Done - No problems!

==ctfmon.exe coming back [being called] like it is now is okay, it's a valid process; it was also being called earlier by some other keys which I wished removed - they are gone now.
==Panda removed a virus for us, but in the free scan they leave the spyware to us to remove.
==Panda found NEED2FIND [came with Kazaa?, which is a DOG], but I cannot see it running anywhere... check Add/remove pgms - if it is there, uninstall it. Check C:\program files - if the folder need2find is there, delete it... [its contents first, if needs be].

When I followed the process below using Regedit I found the NEED2FIND folder, but didn't like to delete it until you advised, so left it there for the moment.

==Panda refers to a dialler reg key, but before we delete it I would like to check it, so please export it: Go Start > Run, type regedit and hit OK. Expand the tree and locate the following key:
hkey_local_machine\software\microsoft\windows\currentversion\uninstall\Switch - lclick Switch to highlight it, go File, Export, name the file dialersu, file type .txt and save it somewhere handy.
Altnet, Myway : uninstall these via add/remove pgms if there, and delete their folders.
---------------------
Right, send that regkey in... dialersu.txt.

Posted as above:

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Switch
Class Name: <NO CLASS>
Last Write Time: 15/05/2005 - 14:44
Value 0
Name: DisplayName
Type: REG_SZ
Data: Switch Uninstall

Value 1
Name: UninstallString
Type: REG_SZ
Data: C:\Program Files\NCH Swift Sound\Switch\uninst.exe

0

nemesis, that regkey...
[Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Switch] you checked and posted is okay [scan picked up a false positive, is all], so just delete your copy of the text file from your sys if you kept one.
These 3 files....
C:\WINDOWS\TEMP\1E2D5597.exe
C:\WINDOWS\system32\nweipeg.dll
C:\Documents and Settings\Shaun Thomas\Local Settings\Application Data\hrcopul.dll,vuljcec
-Avenger got one, HT got another and AVG cleaned the last - I don't think I was being too zealous in getting you to do a final check for them... they are gone.
If there is no Need2find program files folder then it is gone. Ignore the key.
No Altnet or Myway folders in program files?
Then good, you are looking pretty clean.
CCleaner has a reg cleaner function - start it, select Issues, check the 2 lefthand boxes [that automatically fills all the boxes], Scan for Issues and then fix them. [which should, but may not, take care of any need2find reg entries]
Update and run Adaware - if it reports anything other than cookies or your MRU list items post the log.
Do another Panda scan, post the log if it finds anything other than cookies.
And just in case, this one: go to http://www.f-secure.com/blacklight/ and click the link at foot of page to download the latest version. Start it, agree, scan. If it finds anything, post it. [leave pc alone while it runs]

It's late now, so I'll get back to you soon on the O4s.
Cheers.

0

nemesis, that regkey...
[Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Switch] you checked and posted is okay [scan picked up a false positive, is all], so just delete your copy of the text file from your sys if you kept one.
These 3 files....
C:\WINDOWS\TEMP\1E2D5597.exe
C:\WINDOWS\system32\nweipeg.dll
C:\Documents and Settings\Shaun Thomas\Local Settings\Application Data\hrcopul.dll,vuljcec
-Avenger got one, HT got another and AVG cleaned the last - I don't think I was being too zealous in getting you to do a final check for them... they are gone.
If there is no Need2find program files folder then it is gone. Ignore the key.
No Altnet or Myway folders in program files?

No trace of these in program files

Then good, you are looking pretty clean.
CCleaner has a reg cleaner function - start it, select Issues, check the 2 lefthand boxes [that automatically fills all the boxes], Scan for Issues and then fix them. [which should, but may not, take care of any need2find reg entries]
Update and run Adaware - if it reports anything other than cookies or your MRU list items post the log.

Adaware was clear

Do another Panda scan, post the log if it finds anything other than cookies.


Incident Status Location
Dialer:dialer.su Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\uninstall\Switch
Potentially unwanted tool:application/need2find Not disinfected hkey_current_user\software\Need2Find
Adware:adware/wupd Not disinfected Windows Registry
Adware:adware/baidubar Not disinfected Windows Registry
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Shaun Thomas\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe

And just in case, this one: go to http://www.f-secure.com/blacklight/ and click the link at foot of page to download the latest version. Start it, agree, scan. If it finds anything, post it. [leave pc alone while it runs]

This is clear.

It's late now, so I'll get back to you soon on the O4s.
Cheers.

Thanks for this again

0

Panda is picking up traces of need2find, wupd and baidubar adware pests. If you are not getting any ads or popups now then I would ignore their existence. To remove all the keys or files would take an inordinate effort.
Now that you appear clean, change your banking, email passwords if you have not already.
"It's late now, so I'll get back to you soon on the O4s."... still applies.. :)

0

Panda is picking up traces of need2find, wupd and baidubar adware pests. If you are not getting any ads or popups now then I would ignore their existence. To remove all the keys or files would take an inordinate effort.
Now that you appear clean, change your banking, email passwords if you have not already.
"It's late now, so I'll get back to you soon on the O4s."... still applies.. :)

You available to help with the O4's yet?

0

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

=SOUNDMAN.EXE places an icon in your system tray for diagnostic services on your Realtek sound sys. If you don't want it, use its option list to kill it.
=RealPlay.exe puts a quick launch icon in your system tray - if you don't use it, remove it. If I did use a quick launch icon for it, it would be in the quick launch tray anyway, not the sys tray!
=igfxtray.exe is another system tray icon. Remove it; you can start its functions via the pgm anyway.
=hpcmpmgr.exe checks for HP driver updates. Remove it and do it manually every few months.
= HDAudPropShortcut.exe - if you don't use it, remove it. If its removal cuts features that you find that you like to have, then put it back.
=PRONoMgr.exe - gives access to diagnostic features of your ethernet card. How often do you need those? Remove it.
=hkcmd.exe puts up a system tray icon, and also gives you access so that you can use hotkeys to change video card settings. Do you do that? Remove it.
=jusched.exe tries, but it never did work for me, or many others I see. Disallow it via control panel > java, and check for updates manually, monthly.
=aoltray.exe - stuff in your sys tray uses resources... you can remove this and connect via a desktop icon which does not sit in memory.
=companion.exe - sys tray access to rarely? used AOL functions n utilities. You can access them other ways. Remove it.
=hpqtra08.exe - diagnostics access that you can get other ways when needed. Remove it.
=hpqthb08.exe speeds up the first start of Image Zone in a session. Subsequent starts are faster anyway. So if you can bear the longer first start time, remove it.
That's about it. Stop these wherever possible from the application checkboxes, otherwise untick them in msconfig [Start > run, type msconfig, startup tab, and answer Yes at next boot], or failing that use HijackThis to fix them.
The O9s are extra buttons in your explorer windows. You decide, you can control them from the bar options.
There. Done. The O4's I do not mention specifically should not be touched.
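The triage above is done by eye over the O4 lines of the HijackThis log. As an added example that is not part of this thread or of HijackThis itself, here is a small parser for those O4 lines that pulls out the autostart location, value name and executable, counts the entries per location, and flags the ones a helper would want to look at first. The sample lines are copied from the logs posted above plus one constructed TEMP-directory entry; the flagging rules are this example's own heuristics for review, not a verdict on any program.

```python
"""Parse the O4 (autostart) lines of a HijackThis log and flag entries worth a
second look.  Added example for this thread, not part of HijackThis or of any
post above.  The sample lines are copied from the logs posted in the thread,
plus one constructed TEMP-directory entry; the flagging rules are this
example's own triage heuristics, not a verdict on any program."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Registry autostart form:  O4 - HKLM\..\Run: [Name] command
O4_RUN_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Startup-folder form:      O4 - Global Startup: Name.lnk = command
O4_FOLDER_RE = re.compile(
    r'^O4 - (?P<hive>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$')
# First executable-looking path in the command.  The lazy match plus the
# lookahead copes with unquoted paths containing spaces
# (RealPlay.exe SYSTEMBOOTHIDEPLAYER) and with directory names that look
# like extensions (mcafee.com\vso\...).
EXE_RE = re.compile(
    r'(?P<path>[^"]*?\.(?:exe|dll|com|scr|bat|cmd|pif))(?=["\s,]|$)', re.IGNORECASE)


@dataclass
class AutostartEntry:
    hive: str      # HKLM, HKCU, Global Startup, ...
    name: str      # registry value name or .lnk file name
    command: str   # full command line as logged
    path: str      # executable extracted from the command ('' if none found)
    flags: List[str] = field(default_factory=list)


def triage_flags(path: str) -> List[str]:
    """Heuristic reasons an autostart path deserves a closer look (this example's own rules)."""
    flags = []
    low = path.lower()
    if path and '\\' not in path:
        flags.append('bare file name: resolved via the search path, so the file that runs is not identified')
    if '\\temp\\' in low or '\\tmp\\' in low:
        flags.append('runs from a temp directory')
    if '\\application data\\' in low:
        flags.append('runs from a user-profile data directory')
    stem = low.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
    if len(stem) >= 8 and re.fullmatch(r'[0-9a-f]+', stem):
        flags.append('hex-looking file name')
    return flags


def parse_o4_entries(log_text: str) -> List[AutostartEntry]:
    """Return one AutostartEntry per O4 line; other HijackThis sections are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RUN_RE.match(line) or O4_FOLDER_RE.match(line)
        if not m:
            continue
        cmd = m.group('cmd').strip()
        exe = EXE_RE.search(cmd)
        path = exe.group('path') if exe else ''
        entries.append(AutostartEntry(m.group('hive'), m.group('name'), cmd, path, triage_flags(path)))
    return entries


def count_by_hive(entries: List[AutostartEntry]) -> Dict[str, int]:
    """How many autostarts live in each location (the 'mass of programs' the helper mentions)."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.hive] = counts.get(e.hive, 0) + 1
    return counts


def flagged_names(entries: List[AutostartEntry]) -> List[str]:
    return [e.name for e in entries if e.flags]


# Constructed sample: real lines from the thread's logs plus one made-up
# HKCU entry ('updater') pointing into the TEMP directory.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] C:\WINDOWS\TEMP\ab12cd34.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
"""

if __name__ == '__main__':
    found = parse_o4_entries(SAMPLE_LOG)
    print(count_by_hive(found))
    for e in found:
        if e.flags:
            print(f'[{e.hive}] {e.name}: {e.path}')
            for f in e.flags:
                print('   -', f)
```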

0

Okay, thanks for all the help up to now; all implemented. Have a final look at the HijackThis logfile and advise whenever you have 2 minutes, as I appreciate you are probably busy with other things. But things are working much faster here and I am really thankful you have spared this untechy person your time and knowledge.

Cheers again

Nem

Logfile of HijackThis v1.99.1
Scan saved at 18:17:31, on 01/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Common Files\AOL\1167336364\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1167336364\ee\AOLServiceHost.exe
c:\program files\common files\aol\1167336364\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1167336364\ee\AOLServiceHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AOL 9.0a\waol.exe
C:\Program Files\AOL 9.0a\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Program Files\imabunny.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.co.uk/?redirect
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1167336364\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B57F951-2E37-448B-A41D-EEB095D9108B}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

0

Nothing more to do, log is clean and as straightforward as can be. I do not have access to AOL so I cannot advise you on any aspects of it, except to say that you can use it as an ISP without needing to take the utilities and auxiliary services. These are probably loaded depending upon settings you choose when you install the software. Try a custom install if it exists as an option and see what choices are provided.
Cheers, g.
